I have two inputs. One input contains the user and the MAC address and one input contains the MAC address and the IP address. For both inputs I have created a table in a dashboard.
If I want to know which user belongs to an IP address, I first filter for the IP to obtain the MAC address, afterwards I change the filter to MAC address to obtain the user. Is there a way to reduce this to one step, by e.g., merging the two inputs based on the MAC address?
I have looked in the documentation but have not found a solution. But I am also relatively inexperienced with Graylog. Maybe someone can give me a tip?
If this is a global search, meaning it will search all indices, you can do this through a Widget/Aggregation.
Mine is set up a little differently, but I think I get what you want.
Example: below is my user and the IP/FQDN on what devices.
Thank you very much for your answer! Unfortunately it didn’t solve my problem.
Maybe I need to explain my problem a little more:
I have 2 Inputs. Both Inputs are displayed in their own Table/Aggregation in my Dashboard.
Input 1 (Access Points):
• IP Address
• MAC Address
Input 2 (Radius):
• MAC Address
• User ID
Challenge: I am getting a suspicious IP Address and I want to know which user belongs to that DHCP IP.
Steps I currently need to solve this:
1. Filter for the IP in the Dashboard to obtain the MAC Address out of the Access Points table.
2. Then I change the filter to this MAC Address to obtain the User ID out of the Radius table.
In order to reduce this to one step, you suggested I should create a Table/Aggregation containing User ID and IP Address. However, since both MAC Address fields are from two different Inputs, Graylog cannot aggregate.
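The two-step pivot described above (suspicious IP to MAC in the Access Points data, then MAC to User ID in the Radius data) collapsed into one lookup, as an added example that is not from this thread or from Graylog itself; the field names, timestamps and sample messages are constructed, and the join normalises the MAC format and respects the time the IP was seen, since DHCP leases get reused.

```python
import re
from datetime import datetime

# Constructed sample messages standing in for the two inputs described above
# (field names are assumptions; the thread does not name them).
AP_MESSAGES = [  # Input 1 (Access Points): ip_address, mac_address
    {"timestamp": "2024-05-01T08:00:00", "ip_address": "10.0.0.42", "mac_address": "AA:BB:CC:DD:EE:01"},
    {"timestamp": "2024-05-01T12:00:00", "ip_address": "10.0.0.42", "mac_address": "aa-bb-cc-dd-ee-02"},
]
RADIUS_MESSAGES = [  # Input 2 (Radius): mac_address, user_id
    {"timestamp": "2024-05-01T07:55:00", "mac_address": "aabb.ccdd.ee01", "user_id": "alice"},
    {"timestamp": "2024-05-01T11:58:00", "mac_address": "AABBCCDDEE02", "user_id": "bob"},
]

def normalize_mac(mac):
    """Canonicalise a MAC so records from both inputs join on the same key
    regardless of separator or case (aa:bb:.., aa-bb-.., aabb.cc.., AABB..)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def user_for_ip(ip, seen_at, ap_messages=AP_MESSAGES, radius_messages=RADIUS_MESSAGES):
    """Resolve suspicious IP -> MAC -> user in one step.
    DHCP leases are reused, so take the latest Access Points record for the IP
    at or before the time the suspicious activity was seen, then the latest
    Radius record for that MAC at or before the same time."""
    t = datetime.fromisoformat(seen_at)
    ap_hits = [m for m in ap_messages
               if m["ip_address"] == ip and datetime.fromisoformat(m["timestamp"]) <= t]
    if not ap_hits:
        return None  # no lease record for that IP before the event
    mac = normalize_mac(max(ap_hits, key=lambda m: m["timestamp"])["mac_address"])
    radius_hits = [m for m in radius_messages
                   if normalize_mac(m["mac_address"]) == mac
                   and datetime.fromisoformat(m["timestamp"]) <= t]
    if not radius_hits:
        return {"mac_address": mac, "user_id": None}  # device seen, no Radius login
    return {"mac_address": mac,
            "user_id": max(radius_hits, key=lambda m: m["timestamp"])["user_id"]}

if __name__ == "__main__":
    print(user_for_ip("10.0.0.42", "2024-05-01T09:00:00"))  # alice held the lease then
    print(user_for_ip("10.0.0.42", "2024-05-01T13:00:00"))  # bob after the lease moved
```

The same two lookups are what a widget has to do, which is why the join fails when the MAC field is spelled or formatted differently in the two inputs.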
Ok, I see now. You created two widgets on a dashboard, and each of these widgets is using a specific INPUT. So this means you have a field(s) for the following; correct me if I'm wrong.
MAC Address
Access Points
User ID
The way I look at it the MAC Address (field) is the common denominator between the two widgets.
Here is a mockup of three fields; mind you, I don't have the same fields as you do, but I think you get the hint.
If you're trying to filter them down by using INPUTs for the widgets, I would suggest creating a stream/rules to grab what you need from those inputs, then add that stream to the widget I showed above.
That is incorrect so long as they have the same name, called MAC_ADDRESS, but what I noticed was you may have to move the rows around a little bit. Meaning if the messages all have mac_add, userID fields, then those fields should be on top, followed by the AP field. Not sure if it will work, but you can give it a try and see what the outcome is.